
AV Software Isn't Dead, But It's Not Healthy

dasButcher writes "Is a conventional signature-based antivirus technology dead? Trend Micro CEO Eva Chen says no, but more is needed. Her answer: reputational analysis. Not a bad idea, but many have tried and failed to make this type of approach work. We've seen it all before: RBLs, integrity grading, etc. What will make this different? If we're not careful, Trend Micro might give us all a bad Web reputation."
  • by Reverse Gear ( 891207 ) * on Monday March 26, 2007 @11:34AM (#18488387) Homepage
    I sure am not a big security expert, so forgive my n00bish words here.

    I don't remember where, but at some point I read somebody, probably a sys-admin, saying that if you really want security then what you need to do is disable all the things you do not need. Not by default to allow everything and then pick the things you do not want, but go the other way around and make the default to not allow anything and then enable the things you need.
    I guess this is one of the reasons I like Gentoo so much, I know everything that is installed on the system and I can remove it if I don't like it.
    I don't like to install all kinds of things that I do not know what is and do not know if I can trust. The more things I have installed the more vulnerabilities I also have.

    One of my friends once ran a version of Windows XP that he had pretty much scraped everything off of that didn't need to be there. I think he was a lot more secure than he would have been had he filled his computer with all kinds of AV and anti-malware programs; some of them seem to be causing more problems than they solve anyhow.
  • Trivial answer! (Score:5, Insightful)

    by VincenzoRomano ( 881055 ) on Monday March 26, 2007 @11:40AM (#18488459) Homepage Journal

    Is a conventional signature-based antivirus technology dead? Trend Micro CEO Eva Chen says no.
    If you ask an Oil company whether oil derived fuel engines are dead, they'll answer the same way.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday March 26, 2007 @11:48AM (#18488541)
    #1. There is no security without physical security.

    #2. Run only what you absolutely need.

    #3. Run it with the minimum rights possible.

    The reason that Trend Micro's "new" approach will fail is ... rather long. Follow along for a moment.

    a. Vulnerability is found and exploit is written.
    b. Exploit needs to be distributed.
    c. Exploit is distributed via a quick spam flood - they have no protection against this.
    d. Exploit is posted on a web site - how do the bad people drive traffic to that site?
    e. They use a compromised site. They hide the exploit in a directory that robots.txt says not to scan. Either Trend Micro violated robots.txt or it cannot find the exploit.
    f. So Trend Micro will have to violate robots.txt and that behaviour should be noticeable. So the bad guys would hide that file from something that looks like a webcrawler that doesn't respect robots.txt.

    And we're back at the beginning.
  • ... otherwise there would be no syphilis in the world.

    Seriously, there is a pretty direct analogy between (digital epidemiology, computer viruses) and (real epidemiology, real germs). If there were a simple answer to the digital problem, it's a good bet that some population or other would have adopted the analogous strategy to the real epidemiology problem.

    STDs offer a good analogy for digital viruses with a Trojan-style (no snickers, please) strategy. In both cases sharing of {data|fluids} yields immediate benefit at some risk. In both cases, populations have adopted reputational strategies to avoid spreading/contracting viruses. In neither case do those strategies work.

    Even with near-perfect "antivirus software" (the antibiotic penicillin), the old monsters of syphilis and gonorrhea still remain on the planet, and penicillin-resistant strains have even evolved. One problem is that reputations are hard to establish and not necessarily accurate; another is that most humans tend to discount future risks in favor of immediate benefits.

    Interestingly, the reason that the traditional venereal diseases are treated with penicillin injections (and not an oral course) is that, statistically, patients are unlikely to finish the oral course -- a properly completed oral course of penicillin is as effective as the traditional three injections. There is perhaps a lesson to be learned there about how effective corporate data-hygiene strategies are likely to be.
  • by laffer1 ( 701823 ) <luke&foolishgames,com> on Monday March 26, 2007 @12:39PM (#18489259) Homepage Journal
    At first, this sounded like a good idea. Consider though that the OS still needs to have code to detect what the USB device is. So Windows must see "hey, I've got a USB mouse" or whatever and then load the service for it. That means the service is started later, after scripts have time to bork the environment, and many services common on desktops will get triggered eventually anyway. So an attacker, or rather his script, may have to wait some time to get his malware executed, but it will still occur. Since the service is not started early in the boot process, the environment could be tainted as well.

    There is a balance between good security and flat out disabling valuable functionality. This balance is why Microsoft made Windows so open to begin with. They didn't see any threat and wanted users to be able to do whatever they wanted. (minus view the source code and customize at that level)

    One problem with open source is that we don't have everything users want yet. A typical end user wants to be able to surf, edit photos, read email, IM, listen to music, watch DVDs and run office productivity software. Then you start getting to specialized groups like people who use financial software, play games, develop software, engineering apps, math apps, etc. At the same time, these users expect USB devices, sound cards, TV tuners, printers, and any other thing they plug in to just work. Some Linux distros have this down, but there is no consistency in applications. Many projects actually have to put up translation lists telling the user what the browser, IM client and things are called. IE = Firefox, MSN = Gaim and so on. When you start disabling services, things start to break or become more difficult for the user. It doesn't mean everything should be on (who needs an echo server running).

    So your idea may work for a subset of services or kernel modules, but we need other approaches to secure many services. Let's face it, the approach may not be right, but Trend Micro is correct in assuming they need some new tricks. Vista is slightly more secure than previous versions of Windows, and as such malware authors are going to step up to the new challenge. So detection software must also improve. It's like the transition from telnet to ssh. For a while, I felt *safe* using ssh because there were so many other targets on a clear channel to attack. As more people migrate to Vista, or better systems, the type of attacks will change.

    Your idea requires validation that loading a service is really necessary and safe.
  • by OriginalArlen ( 726444 ) on Monday March 26, 2007 @02:35PM (#18490937)

    Think about it. Symantec is a billion dollar company selling a product that barely works. Nobody is spending that kind of money making operating systems more secure.
    Now far be it from me to defend the great satan, but to be fair Microsoft have spent a lot more than that on improving security since Bill "got it" and sent his memo back in, what was it, 2003? They still haven't trained themselves to make the right call when it comes to usability vs functionality (see UAC, and so on and on) but Vista is a lot more secure out of the box than XP SP2 - which itself was an improvement over 2000. (Which, admittedly, was worse than NT4 which was worse than 3.51, but that's beside the point.)

    It probably won't show up in the botnet stats even once Vista is ubiquitous, though, as you still have to allow the user to install arbitrary binaries, which means the attacker just has to fool them. And they've had a lot of practice with that over the last few years. There IS no technical solution to this, unless you completely close the ecosystem - prevent the user installing arbitrary executables, shut down the internet as we know it -- or find an infallible on-demand method of deducing what a given program is going to do; and if you've got a solution to the halting problem, I'm sure we'd ALL like to hear it ;)
